Another Data Breach Hits Customers... Why Are Retailers Prime Targets for Hackers?
CU Parcel Data Breach
Security Vulnerabilities Resurface
Spreads to Convenience Stores, E-Commerce, and OTT
Entrenched Practice of 'After-the-Fact Responses' Under Scrutiny
Recently, a series of large-scale personal information leaks targeting the retail and platform industries has put the overall security systems of these sectors under scrutiny. As hackers have targeted everything from convenience store parcel services to e-commerce platforms, online video services (OTT), and luxury goods platforms, consumer anxiety has been mounting. In particular, despite the recurrence of similar incidents, many companies have focused only on post-incident inspections and apologies, leading to criticism that such after-the-fact, patchwork responses have become entrenched practices.
According to industry sources on June 11, a recent incident in which customer personal information was leaked from the CU convenience store parcel service operated by BGF Retail has once again highlighted the vulnerabilities in the security systems of the retail industry. As it was revealed that sensitive information such as names, contact details, and addresses was compromised, consumer concerns have intensified. Industry experts point out that this incident is not a problem specific to a single company but rather exposes widespread security risks prevalent throughout the entire retail sector.
In fact, since last year, major domestic and international retail and platform companies (including GS Retail (GS25, GS Shop), Coupang, CJ, Tving, Mustit, Papa John's Korea, as well as Dior, Louis Vuitton, and Adidas) have experienced a series of personal information leaks, both major and minor. These incidents have occurred across all sectors, including convenience stores, e-commerce, luxury brands, food service companies, and OTT platforms, making personal information protection a challenge for the entire industry rather than just an issue for individual companies.
According to data submitted by the office of Lee In-young, a member of the National Assembly's Political Affairs Committee from the Democratic Party of Korea, to the Personal Information Protection Commission, a total of 139 companies have been fined for personal information leaks over the past four years since 2022. Among these, retail companies—including those in e-commerce, food and beverage, apparel, and travel—accounted for 34 cases (24.4%), the highest proportion. IT and platform companies followed with 32 cases (23.0%). Combined, these two sectors represent nearly half (47.4%) of all cases involving penalties for information leaks. In contrast, the financial sector—which is subject to stringent security regulations—recorded only 14 cases (10.0%), indicating that the frequency of leaks in the retail and platform industries is nearly five times higher than in the financial sector.
The reason the retail industry has become a primary target for hackers is its vast troves of data assets. Security professionals explain that hackers now regard the databases of retail companies as high-value assets, comparable to those held by financial institutions.
Financial information is difficult to access and is protected by multi-factor authentication and additional security procedures, making it hard to immediately convert into cash. By contrast, data held by retail companies includes names, contact details, addresses, payment methods, refund accounts, purchase histories, and consumption patterns—essentially covering all aspects of daily life. Such information can be used for various secondary crimes, including voice phishing, SMS phishing (smishing), and account hijacking, and thus commands high value on illegal trading markets.
One industry insider stated, "Data that combines addresses, contact details, and consumption patterns is far more valuable than simple personal information," adding, "For hackers, it is an asset as valuable as financial data."
Experts also point to the low level of security investment in the retail industry as a cause of repeated incidents. While most retail companies make large-scale investments in AI-driven recommendation systems, logistics automation, and advanced marketing, there is a strong tendency to view the security sector as a cost center that does not directly generate profits.
Recently, retail companies have expanded services such as simple payment, membership programs, delivery tracking, and personalized recommendation services, integrating with numerous external solutions and partner systems. As data-driven service competition intensifies, the number of entry points for hackers also increases.
Rather than attacking the headquarters' systems directly, hackers often employ supply chain attacks that target relatively less secure partner companies or neglected legacy APIs (application programming interfaces). Analyses indicate that as the number of external linkages grows, the scope of required security management expands, but the corresponding response systems are not keeping pace.
Another industry insider commented, "Retail companies have expanded their businesses by adding new service features on top of old legacy systems. Unless regular vulnerability assessments, real-time penetration testing, and a restructuring of internal access control systems are implemented, personal information leaks will inevitably continue to occur."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.